As part of what is predominantly an Android security issue, a CTO and consultant has discovered a vulnerability in WhatsApp encryption that could allow another app to access and read all of a user’s chat conversations in WhatsApp.
Bas Bosschert, the CTO at DoubleThink, has posted his own method for accessing WhatsApp chats, and confirms that the vulnerability still exists after yesterday’s big Android update.
Here’s how it works:
WhatsApp for Android stores conversations on the phone’s SD card, which is accessible by many other apps on the phone as long as the user gives those apps the permissions they ask for (many apps ask for full access to the phone). This is an infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp.
From there, a malicious app could access the WhatsApp conversation database. Savvy users will note that this is hardly a hack but more of a problem with Android’s data sandboxing system.
Bosschert built a companion app to test it out, and used a cute loading screen to distract the user while the database files were being uploaded.
In recent releases, WhatsApp has begun encrypting the database to the point where it cannot be opened by SQLite, but Bosschert reports that he can decrypt the database with his own Python script.
A step-by-step guide to the hack can be found here.
Facebook will surely be improving WhatsApp security in the next few months following the $19 billion acquisition. But this brings up, yet again, lingering questions about Android infrastructure.
On Android, any app that has full access to the smartphone – many of them do – can access data from other apps and upload it to third parties.
By comparison, Apple doesn’t allow access to data outside of an app’s own sandbox, which stops malicious developers from tinkering with your data through a dummy app, as described above.